Researchers warn of a surge in MOVEit Transfer scanning

An increase in scanning activity targeting MOVEit Transfer systems has been observed since May 27, 2025, according to threat intelligence firm GreyNoise.

The researchers say that the number of unique IP addresses probing MOVEit Transfer systems has surged from fewer than 10 per day to over 300 in just 24 hours, which may indicate new exploitation campaigns or reconnaissance for future attacks.

On May 27, GreyNoise recorded over 100 unique IP addresses scanning MOVEit Transfer systems, jumping to 319 IPs the following day. Since then, scanning volumes have remained persistently elevated, fluctuating between 200 and 300 IPs per day.

Over the past 90 days, a total of 682 unique IPs have been observed scanning for MOVEit Transfer, originating from Tencent Cloud (303 IPs), Cloudflare (113 IPs), Amazon (94 IPs), and Google (34 IPs).

Top destination countries include the United Kingdom, United States, Germany, France, and Mexico, with most scanner IPs geolocating to the US.

GreyNoise also reported low-volume exploitation attempts on June 12, linked to two previously disclosed vulnerabilities in MOVEit Transfer: CVE-2023-34362 and CVE-2023-36934. No large-scale exploitation has yet been confirmed.

“This level of infrastructure concentration — particularly within a single ASN — suggests that the scanning is deliberate and programmatically managed, rather than random or distributed probing,” GreyNoise noted.
